This, in my opinion, is the right answer for the problem identified in the parent blog post. Rather than trying to get every single package author to adopt some unified capability token scheme in their code, just statically analyze all dependencies from the outside and report the capabilities they actually use.
It would be even better if something like this could be integrated directly into the package management tool itself, so that you could run `npm update` and get back "New dangerous API usage in package X version a.b.c: filesystem access. Type package name to acknowledge and upgrade."
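The approach the comment describes, as an added example that is not the commenter's code and not Socket.dev's: a small static scanner that maps Node.js core-module imports in a package's source to coarse capabilities, diffs two versions, and prints the kind of warning the comment imagines on `npm update`. The module-to-capability table, the capability names, the `scanCapabilities`/`newCapabilities`/`formatReport` helpers and the sample package sources are all assumptions constructed for illustration. One edge case is handled deliberately: a `require()` whose argument is not a string literal cannot be resolved statically, so it is flagged as its own capability rather than silently passing.

```javascript
// Added example: static capability scan of JavaScript package source.
// Module names -> capability labels are an assumption for illustration.
const CAPABILITY_OF_MODULE = {
  fs: 'filesystem', 'fs/promises': 'filesystem',
  http: 'network', https: 'network', http2: 'network',
  net: 'network', tls: 'network', dns: 'network',
  child_process: 'subprocess',
  vm: 'code-eval',
  worker_threads: 'threads',
};

// Matches require('x'), import('x'), import x from 'x', import { y } from 'x', import 'x'.
// Group 2 or group 4 holds the module specifier.
const STATIC_IMPORT_RE =
  /\b(?:require|import)\s*\(\s*(['"])([^'"]+)\1\s*\)|\bimport\s+(?:[^'";]+\s+from\s+)?(['"])([^'"]+)\3/g;

// require( <anything that is not a string literal> ): cannot be resolved statically.
// No /g flag: .test() on a global regex would carry lastIndex between calls.
const DYNAMIC_REQUIRE_RE = /\brequire\s*\(\s*(?!['"])[^)]*\)/;

// 'node:fs' and 'fs' are the same core module.
function normalizeModule(name) {
  return name.startsWith('node:') ? name.slice(5) : name;
}

// Returns the Set of capability labels a source file appears to use.
function scanCapabilities(source) {
  const caps = new Set();
  for (const m of source.matchAll(STATIC_IMPORT_RE)) {
    const cap = CAPABILITY_OF_MODULE[normalizeModule(m[2] ?? m[4])];
    if (cap) caps.add(cap);
  }
  if (/\bprocess\.env\b/.test(source)) caps.add('environment');
  if (/\beval\s*\(|\bnew\s+Function\s*\(/.test(source)) caps.add('code-eval');
  if (DYNAMIC_REQUIRE_RE.test(source)) caps.add('dynamic-require');
  return caps;
}

// Capabilities present in newSource that oldSource did not have, sorted for stable output.
function newCapabilities(oldSource, newSource) {
  const before = scanCapabilities(oldSource);
  return [...scanCapabilities(newSource)].filter((c) => !before.has(c)).sort();
}

// The warning line a package manager could print; null when nothing new appeared.
function formatReport(pkg, version, oldSource, newSource) {
  const added = newCapabilities(oldSource, newSource);
  if (added.length === 0) return null;
  return `New dangerous API usage in package ${pkg} version ${version}: ${added.join(', ')}`;
}

// Constructed sample sources (not a real package). V1 only talks to the network;
// V2 adds filesystem writes, a subprocess, and reads from the environment.
const V1 = `
const http = require('node:http');
module.exports = function fetchJson(url, cb) { http.get(url, cb); };
`;
const V2 = `
const http = require('node:http');
const fs = require('fs');
const { exec } = require('child_process');
module.exports = function fetchJson(url, cb) {
  http.get(url, cb);
  fs.writeFileSync('/tmp/cache', url);
  exec(process.env.POST_INSTALL_HOOK || 'true');
};
`;
// Constructed evasion attempt: the module name is assembled at runtime.
const V3_EVASIVE = `const m = require(['f', 's'].join(''));`;

console.log(formatReport('example-pkg', '1.2.3', V1, V2));
console.log([...scanCapabilities(V3_EVASIVE)]);
```

The scan is intentionally coarse: it says which broad capabilities a version reaches for, not whether each use is benign, which is exactly the signal a package manager could surface as a prompt before upgrading. The `dynamic-require` label is the honest answer for code the scanner cannot see through, and in practice it is the case a reviewer should look at first.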
> It would be even better if something like this could be integrated directly into the package management tool itself
We're planning to build this. However, right now, the primary way to consume Socket.dev data is through our GitHub app (https://socket.dev/integrations).